php-openid 2.0.0 has broken support for HMAC-SHA256
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
php-openid (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Binary package hint: php-openid
php-openid-2.0.0 does not correctly deal with associations of type HMAC-SHA256. The code only supports the generation of HMAC-SHA1 signatures, but it fails to reject attempts at a HMAC-SHA256 connection with an "unsupported-type" error code as http://
This bug here might be contributing to bug #313703, although there might be more in that bug. The solution is probably the same, though: updating to 2.1.3 as available in karmic. It shouldn't be too difficult to backport this package to hardy and jaunty, and maybe to intrepid as well. Maybe the package from karmic can be taken as is.
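
The rejection behaviour the report says is missing, sketched provider-side as an added example in Python; it is not php-openid code and not part of the original report. The function names, the in-memory `store`, and the restriction to the `no-encryption` session type (which presumes TLS) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# assoc_type -> (hash constructor, MAC key length in bytes)
ASSOC_TYPES = {
    "HMAC-SHA1": (hashlib.sha1, 20),
    "HMAC-SHA256": (hashlib.sha256, 32),
}


def handle_associate(request, supported, store):
    """Answer an associate request, refusing types this provider cannot sign."""
    assoc_type = request.get("openid.assoc_type")
    session_type = request.get("openid.session_type")
    if assoc_type not in supported or session_type != "no-encryption":
        # Refuse explicitly and advertise a type we do support, so the
        # relying party can retry instead of receiving unverifiable signatures.
        return {
            "ns": OPENID2_NS,
            "error": "unsupported association or session type",
            "error_code": "unsupported-type",
            "assoc_type": supported[0],
            "session_type": "no-encryption",
        }
    _, key_len = ASSOC_TYPES[assoc_type]
    handle = secrets.token_hex(8)
    store[handle] = (assoc_type, secrets.token_bytes(key_len))
    return {
        "ns": OPENID2_NS,
        "assoc_handle": handle,
        "assoc_type": assoc_type,
        "session_type": "no-encryption",
        "expires_in": "3600",
        "mac_key": base64.b64encode(store[handle][1]).decode(),
    }


def sign(store, handle, fields, signed):
    """Sign the listed fields with the hash the association was created for."""
    assoc_type, key = store[handle]
    digest, _ = ASSOC_TYPES[assoc_type]
    # Key-value form: one "key:value\n" line per signed field, in list order.
    message = "".join("%s:%s\n" % (k, fields[k]) for k in signed)
    mac = hmac.new(key, message.encode("utf-8"), digest).digest()
    return base64.b64encode(mac).decode()
```

A provider configured with `supported = ["HMAC-SHA1"]` answers an HMAC-SHA256 request with `error_code: unsupported-type` and stores nothing, so it never issues a handle it would later sign with the wrong hash.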